Abstract

The replacement (or collection or choice) axiom scheme BB($\Gamma$) asserts bounded quantifier exchange as follows:

$$\forall i<|a|\;\exists x<a\;\phi(i,x)\;\rightarrow\;\exists w\;\forall i<|a|\;\phi(i,[w]_i)$$

where $\phi$ is in the class $\Gamma$ of formulas. The theory $S^1_2$ proves the scheme BB($\Sigma^b_1$), and thus in $S^1_2$ every $\Sigma^b_1$ formula is equivalent to a strict $\Sigma^b_1$ formula (in which all non-sharply-bounded quantifiers are in front). Here we prove (sometimes subject to an assumption) that certain theories weaker than $S^1_2$ do not prove either BB($\Sigma^b_1$) or BB($\Sigma^b_0$). We show (unconditionally) that $V^0$ does not prove BB($\Sigma^B_0$), where $V^0$ (essentially $I\Sigma^{1,b}_0$) is the two-sorted theory associated with the complexity class $AC^0$. We show that PV does not prove BB($\Sigma^b_0$), assuming that integer factoring is not possible in probabilistic polynomial time. Johannsen and Pollett introduced the theory $C^0_2$ associated with the complexity class $TC^0$, and later introduced an apparently weaker theory $\Delta^b_1$-CR for the same class. We use our methods to show that $\Delta^b_1$-CR is indeed weaker than $C^0_2$, assuming that RSA is secure against probabilistic polynomial time attack.

Our main tool is the KPT witnessing theorem. 



1 Introduction 



We are concerned with the strength of various theories of bounded arithmetic associated with the complexity classes P, $TC^0$, and $AC^0$. Our goal is to show that some of these theories cannot prove replacement, which is the axiom scheme

$$\forall i<|a|\;\exists x<a\;\phi(i,x)\;\rightarrow\;\exists w\;\forall i<|a|\;\phi(i,[w]_i) \qquad (1)$$

(where $\phi(i,x)$ can have other free variables). We use BB($\Gamma$) to denote replacement for all formulas in a class $\Gamma$ (usually $\Sigma^b_0$ or $\Sigma^b_1$). Replacement is also sometimes known as "collection" (e.g. [11]) or "choice" (e.g. [20]). We begin by briefly describing the main theories of interest.
The language of first order arithmetic that we use is

$$\{0,\;1,\;+,\;\cdot,\;\le,\;|x|,\;(x)_i,\;[x]_i,\;x\#y\}.$$

Here $|x|$ is the length of $x$ in binary notation, $(x)_i$ is the $i$th bit of $x$, $[x]_i$ is the $i$th element of the sequence coded by $x$, and $x\#y$ is $2^{|x|\cdot|y|}$. All our theories in this language are assumed to include a set of axioms BASIC fixing the algebraic properties of these symbols; see [2, 11] for more detail.

In the first order setting we will look at BB($\Sigma^b_0$), or "sharply bounded replacement". A sharply bounded or $\Sigma^b_0$ formula is one in which every quantifier is bounded by a term of the form $|t|$. A $\Sigma^b_1$ formula is a sharply bounded formula preceded by a mixture of bounded existential and sharply bounded universal quantifiers. A strict $\Sigma^b_1$ formula is a sharply bounded formula preceded by a block of bounded existential quantifiers.

The strongest theory we look at is $S^1_2$ [2], defined as BASIC together with "length induction", that is the LIND axiom

$$\phi(0)\;\wedge\;\forall x<|a|\,(\phi(x)\rightarrow\phi(x+1))\;\rightarrow\;\phi(|a|) \qquad (2)$$

for all $\Sigma^b_1$ formulas $\phi$.

$S^1_2$ proves BB($\Sigma^b_1$), and hence for every $\Sigma^b_1$ formula $\phi$ there is a strict $\Sigma^b_1$ formula $\phi'$ such that $S^1_2$ proves $(\phi\leftrightarrow\phi')$. This fact may have influenced Buss's [2] original decision not to choose strict $\Sigma^b_1$ as the standard definition of $\Sigma^b_1$. The general definition allows Buss to prove [2] Thm 2.2 showing that if a theory $T^+$ extends $T$ by adding $\Sigma^b_1$-defined function symbols then $\Sigma^b_1$ formulas in the extended language are provably equivalent to $\Sigma^b_1$ formulas in the original language. This result may not hold if $\Sigma^b_1$ is taken to be strict $\Sigma^b_1$ and $T$ does not prove replacement. We show here that certain weaker theories (likely) do not prove replacement. For these theories, strict $\Sigma^b_1$ is a more appropriate definition, and extensions by $\Sigma^b_1$-defined functions must be handled with care.

The first order theory we will use most often is PV [4] (called $PV_1$ in [11] and QPV in [5]). This is defined by expanding our language to include a function symbol for every polynomial time algorithm, introduced inductively by Cobham's limited recursion on notation. These are called PV functions, and quantifier free formulas in this language are PV formulas. One way to axiomatize PV is BASIC plus universal axioms defining the new function symbols plus the induction scheme IND

$$\phi(0)\;\wedge\;\forall x<a\,(\phi(x)\rightarrow\phi(x+1))\;\rightarrow\;\phi(a)$$

for open formulas $\phi(x)$. However it is an important fact that PV is a universal theory, and can be axiomatized by its universal consequences [2, 5].

PV and $S^1_2$ are closely linked to the complexity class P. The provably total $\Sigma^b_1$ (or even strict $\Sigma^b_1$) functions in these theories are precisely the polynomial time functions. $S^1_2$ is $\forall\Sigma^b_1$-conservative over PV [2], but PV cannot prove the $\Sigma^b_1$-LIND axiom scheme (2) for $S^1_2$ unless the polynomial hierarchy (provably) collapses [13, 3, 20].

First order theories are unsuitable for dealing with very weak complexity classes such as $AC^0$, in which we cannot even define multiplication of strings. In this setting it is more natural to work with a two-sorted or "second order" theory. $V^0$ is the theory described in the Notes [6], page 56. It is based on $\Sigma^p_0$-comp [20] and is essentially the same as $I\Sigma^{1,b}_0$. The two sorts are numbers and strings (finite sets of numbers). The axioms consist of number axioms giving the basic properties of $0, 1, +, \cdot, \le$, two axioms defining the "length" $|X|$ of a finite set $X$ to be 1 plus the largest element in $X$, or 0 if $X$ is empty, and the comprehension scheme for $\Sigma^B_0$ formulas. The $\Sigma^B_0$ formulas allow bounded number quantifiers, but no string quantifiers, and represent precisely the uniform $AC^0$ relations on their free string variables.

If we add to $V^0$ a function $X\cdot Y$ for string multiplication, we get a theory equivalent to the first order theory $\Sigma^b_0$-LIND. The number sort would correspond to sharply bounded numbers and the string sort to "large" numbers; the $\Sigma^B_0$ induction available in $V^0$ would correspond to $\Sigma^b_0$-LIND.

With this correspondence (known as RSUV isomorphism [18, 17]) in mind, we consider $V^0$ and the first order fragments of $S^1_2$ as fitting naturally into one hierarchy of theories of bounded arithmetic. The only differences between the two approaches will be in the notation for strings and sequences. $(z)_i=1$ in the first order setting corresponds to $Z(i)$ or $i\in Z$ in the second order setting; $[z]_i$ corresponds to $Z^{[i]}$ (see next paragraph).

In second order bounded arithmetic the replacement scheme (1) becomes

$$\forall i<n\;\exists X<n\;\phi(i,X)\;\rightarrow\;\exists W\;\forall i<n\;\phi(i,W^{[i]}).$$

Here $\exists X<n\,\phi$ stands for $\exists X(|X|<n\wedge\phi)$ and $W^{[i]}(u)$ is formally $W(\langle i,u\rangle)$ where $\langle i,u\rangle$ is a standard pairing function (so $W^{[i]}$ is row $i$ in the two-dimensional bit array $W$).

Our main results are that $V^0$ does not prove replacement (unconditionally) and that, unless integer factoring is possible in probabilistic polynomial time, PV does not prove $\Sigma^b_0$ replacement. (As mentioned above, $S^1_2$ does prove $\Sigma^b_0$ replacement.)

We summarize our results with a picture of the structure of theories between $S^1_2$ and $V^0$. An arrow on the diagram represents inclusion. To the right of an arrow we give a sufficient condition for the two theories to be distinct. A bold arrow indicates that this condition is true, and that the theories in fact are distinct. To the left of an arrow we show the conservativity between the two theories.

We will begin with the bottom of the diagram. We have already talked about $V^0$ and PV. $\Delta^b_1$-CR was introduced by Johannsen and Pollett in [10] to correspond to the complexity class $TC^0$ of constant-depth circuits with threshold gates. The $\Sigma^b_1$ functions provably total in $\Delta^b_1$-CR are precisely the uniform $TC^0$ functions. The theory is defined as the closure of the BASIC axioms and the LIND axioms for open formulas under the normal rules of logical deduction together with the $\Delta^b_1$-comprehension rule: if we can prove that a $\Sigma^b_1$ formula $\phi(x)$ is equivalent to a $\Pi^b_1$ formula $\psi(x)$, then we are allowed to introduce comprehension for $\phi$,

$$\exists w\;\forall i<|a|\;\big((w)_i=1\leftrightarrow\phi(i)\big).$$

$\Delta^b_1$-CR proves induction for sharply bounded formulas, so we can think of $V^0$ as a subtheory of it. In fact [14] defines an extension $VTC^0$ of $V^0$ by adding an axiom for the function NUMONES($X$) (which counts the number of 1's in the string $X$) and proves $VTC^0$ is RSUV isomorphic to $\Delta^b_1$-CR. But $VTC^0$ proves the pigeonhole principle, as represented by a $\Sigma^B_0$ formula PHP($X,n$) [14], and $V^0$ does not [6]. Hence $\Delta^b_1$-CR is strictly stronger than $V^0$.
The $\Delta^b_1$-comprehension rule is a derived rule of PV. This is because by results in [2] if a formula $\phi$ is provably $\Delta^b_1$ in PV, then PV proves that the characteristic function of $\phi$ is computable in polynomial time, and hence that comprehension holds for $\phi$. Thus PV is an extension of $\Delta^b_1$-CR.

PV is separated from $\Delta^b_1$-CR by the circuit value principle, which says that "for all circuits $C$ and all inputs $x$, there exists a computation of $C$ on $x$". This is provable in PV, but under the assumption that P does not equal uniform $TC^0$ it is not provable in $\Delta^b_1$-CR.

Turning now to the top of the diagram, [2] proves the $\forall\Sigma^b_1$-conservativity of $S^1_2$ over PV. If PV + BB($\Sigma^b_1$) proves $S^1_2$, then PV $\vdash S^1_2$ [20] and hence the bounded arithmetic hierarchy collapses to PV and the polynomial hierarchy PH collapses to $\Sigma^p_2\cap\Pi^p_2$ [20, 3].

The $\forall\exists\Sigma^B_1$-conservativity of $V^0$ + BB($\Sigma^B_1$) over $V^0$ is from Zambella [20]. $\Sigma^b_0$-LIND + BB($\Sigma^b_0$) was introduced in [9] by Johannsen and Pollett (where they call it $C^0_2$), and proved to be $\forall\Sigma^b_1$ conservative over $\Delta^b_1$-CR in [10]. From these conservativity results it follows that $V^0$ + BB($\Sigma^B_1$) does not prove the pigeonhole principle and $\Delta^b_1$-CR + BB($\Sigma^b_0$) does not prove the circuit value principle (unless P equals uniform $TC^0$), which gives us the separations between the three theories with replacement.

In the body of the paper we show the separations between the theories 
with and without various kinds of replacement, using a similar argument in 
all cases. 

In section 2 we describe how our general argument goes. In section 3 we use it together with the fact that parity is not computable in nonuniform $AC^0$ to separate $V^0$ from $V^0$ + BB($\Sigma^B_0$).

In section 4 we show that if PV proves $\Sigma^b_0$-replacement, then factoring is possible in probabilistic polynomial time. (This strengthens a result in [19] where the weaker conclusion "RSA is insecure" was proved.) We observe that this is true even if we look at weak versions of $\Sigma^b_0$-replacement, where we code very short sequences of witnesses; for example BB($\Sigma^b_0$, $||x||$) in the diagram is the scheme of replacement for sequences of double-log length:

$$\forall i<||a||\;\exists y<a\;\phi(i,y)\;\rightarrow\;\exists w\;\forall i<||a||\;\phi(i,[w]_i).$$

The dotted line in the diagram represents the fact that if factoring is hard, then all the theories BB($\Sigma^b_0$, $|x|$), BB($\Sigma^b_0$, $||x||$), BB($\Sigma^b_0$, $|||x|||$), ... are distinct (in fact we show something slightly stronger than this). By a similar argument, all these theories are distinct over $V^0$ (in place of PV), without any assumptions, but for the sake of tidiness we have not put this on the diagram.

The theory of strong $\Delta^b_1$ comprehension is like $\Delta^b_1$-CR, except that rather than having a rule that if a formula is provably $\Delta^b_1$ then comprehension holds for it, we have the "$\Delta^b_1$ comprehension axiom scheme"

$$\forall x\,(\phi(x)\leftrightarrow\neg\psi(x))\;\rightarrow\;\exists w\;\forall i<|a|\;(\phi(i)\leftrightarrow(w)_i=1) \qquad (3)$$

where $\phi,\psi\in\Sigma^b_1$ (and may contain other parameters); so comprehension holds for $\phi$ in a structure, if $\phi$ is $\Delta^b_1$ in that structure. The question is raised in [10], whether this theory is strictly stronger than $\Delta^b_1$-CR. We show that it is, under a cryptographic assumption. We consider a principle not shown on the diagram, which we call "unique replacement". We show that if RSA is secure against probabilistic polynomial time attack then PV does not prove unique replacement, and that it follows that PV, and hence $\Delta^b_1$-CR, does not prove the $\Delta^b_1$ comprehension axiom scheme.

We have not looked for a separation between this last theory and $\Sigma^b_0$-LIND + BB($\Sigma^b_0$).

A preliminary version of this paper appears in [7]. 

2 Witnessing with an interactive computation

First we recall a standard lemma. 

Lemma 1 Over BASIC, $\Sigma^b_1$-replacement is equivalent to strict $\Sigma^b_1$-replacement. Hence over PV, $\Sigma^b_1$-replacement is equivalent to replacement for PV formulas, since PV proves that every PV formula is equivalent to a strict $\Sigma^b_1$ formula.

Similarly over $V^0$, $\Sigma^B_0$-replacement is equivalent to $\Sigma^B_1$-replacement, where a $\Sigma^B_1$ formula is a $\Sigma^B_0$ formula preceded by a block of bounded existential string quantifiers. □

Our main tool in this paper is the KPT witnessing theorem. We state it here for PV, although it holds in a much more general form.

Theorem 2 [13] Let $\phi$ be a PV formula and suppose PV $\vdash\forall x\,\exists y\,\forall z\,\phi(x,y,z)$. Then there exists a finite sequence $f_1,\dots,f_k$ of PV function symbols such that

$$\text{PV}\vdash\forall x\,\forall\bar z,\;\phi(x,f_1(x),z_1)\;\vee\;\phi(x,f_2(x,z_1),z_2)\;\vee\dots\vee\;\phi(x,f_k(x,z_1,\dots,z_{k-1}),z_k).$$

Proof Let $b,c_1,c_2,\dots$ be a list of new constants, and let $t_1,t_2,\dots$ be an enumeration of all terms built from symbols of PV together with $b,c_1,c_2,\dots$ where the only new constants in $t_k$ are among $\{b,c_1,\dots,c_{k-1}\}$. It suffices to show that

$$\text{PV}\cup\{\neg\phi(b,t_1,c_1),\;\neg\phi(b,t_2,c_2),\;\dots,\;\neg\phi(b,t_k,c_k)\}$$

is unsatisfiable for some $k$.

Suppose otherwise. Then by compactness

$$\text{PV}\cup\{\neg\phi(b,t_1,c_1),\;\neg\phi(b,t_2,c_2),\;\dots\} \qquad (4)$$

has a model $M$. Since PV is universal, the substructure $M'$ consisting of the denotations of the terms $t_1,t_2,\dots$ is also a model for (4). It is easy to see that

$$M'\models\text{PV}+\forall y\,\exists z\,\neg\phi(b,y,z)$$

and hence PV $\nvdash\forall x\,\exists y\,\forall z\,\phi(x,y,z)$. □

Now choose a function $f$ which can be computed in polynomial time but which is hard to invert. Suppose PV proves the following instance of replacement (which has $a$ and $y$ as parameters, and $m=|a|$):

$$\forall i<m\;\exists u<a\;f(u)=[y]_i\;\rightarrow\;\exists w\;\forall j<m\;f([w]_j)=[y]_j.$$

We can rewrite this as

$$\exists i<m\;\exists w\;\forall u<a,\;\;f(u)=[y]_i\;\rightarrow\;\forall j<m\;f([w]_j)=[y]_j.$$

Applying our witnessing theorem, we get $k\in\mathbb N$ and functions $g_1,\dots,g_k$ and $h_1,\dots,h_k$ (which have $a$ as a suppressed argument), such that

$$\text{PV}\vdash\forall\bar z<a,$$

$$\big(f(z_1)=[y]_{g_1(y)}\rightarrow\forall j<m\;f([h_1(y)]_j)=[y]_j\big)$$

$$\vee\;\big(f(z_2)=[y]_{g_2(y,z_1)}\rightarrow\forall j<m\;f([h_2(y,z_1)]_j)=[y]_j\big)$$

$$\vee\;\dots$$

$$\vee\;\big(f(z_k)=[y]_{g_k(y,z_1,\dots,z_{k-1})}\rightarrow\forall j<m\;f([h_k(y,z_1,\dots,z_{k-1})]_j)=[y]_j\big).$$

This allows us to write down an algorithm which, given an input $y$ (considered as a sequence $[y]_0,\dots,[y]_{m-1}$), will ask for a pre-image of $f$ on at most $k$ elements of $y$, and with this information will output a number $w$ coding a sequence of pre-images of all $m$ elements of $y$.

The algorithm is as follows. Let $w=h_1(y)$. If $\forall j<m\;f([w]_j)=[y]_j$ then output $w$ and halt. Otherwise calculate $g_1(y)$ and ask for a pre-image of $[y]_{g_1(y)}$; store the answer as $z_1$. Then let $w=h_2(y,z_1)$. If $\forall j<m\;f([w]_j)=[y]_j$ then output $w$ and halt. Otherwise calculate $g_2(y,z_1)$ and ask for a pre-image of $[y]_{g_2(y,z_1)}$; store the answer as $z_2$, and so on. By our assumption the algorithm will run for at most $k$ steps of this form before it outputs a suitable $w$.

Now fix $a$ such that $|a|=m>k$, and choose a sequence $[x]_0,\dots,[x]_{m-1}$ of numbers less than $a$. Let $y$ encode the pointwise image of $x$ under $f$. Run the algorithm above, and reply to queries with elements of $x$. We will end up with $w$ encoding a sequence of pre-images of $y$, which will clash in some way with our assumption that $f$ is hard to invert. If $f$ is an injection, $w$ will be the same as $x$; we use this in section 3. If $f$ is not an injection and $x$ was chosen at random, then $w$ is probably different from $x$; we use this in sections 4 and 5.

The important properties of PV used in the argument above are that it is 
universal and can define functions by cases (needed for the KPT witnessing 
theorem) and that it can manipulate sequences. We show now how to make 
V° into a universal theory in which we can carry out the same argument. 

We start by referring to [6], pp 66-73. A relation $R(\bar x,\bar Y)$ is in (uniform) $AC^0$ iff it is defined by some $\Sigma^B_0$ formula $\phi(\bar x,\bar Y)$. A number function $f:\mathbb N^k\times(\{0,1\}^*)^l\to\mathbb N$ is an $AC^0$ function iff there is an $AC^0$ relation $R$ and a polynomial $p$ such that

$$f(\bar x,\bar Y)=\min z<p(\bar x,|\bar Y|)\;R(z,\bar x,\bar Y) \qquad (5)$$

A string function $F(\bar x,\bar Y)$ is an $AC^0$ function iff $|F(\bar x,\bar Y)|\le p(\bar x,|\bar Y|)$ for some polynomial $p$, and the bit graph

$$B_F(i,\bar x,\bar Y)=F(\bar x,\bar Y)(i)$$

is an $AC^0$ relation.

We denote by $V^0(FAC^0)$ a conservative extension of $V^0$ obtained by adding a set $FAC^0$ of function symbols with universal defining axioms for all $AC^0$ functions, based on the above characterizations. ($FAC^0$ is essentially $\Sigma^p_0$-def in [20].) This can be done in such a way that $V^0(FAC^0)$ is a universal theory. In particular, the comprehension axioms follow since for every $\Sigma^B_0$ formula $\phi$ there is a $FAC^0$ string function whose range is the set of strings asserted to exist by the comprehension axiom for $\phi$. Further, from (5) it is clear that for every $\Sigma^B_0$ formula $\phi$ there is a quantifier-free formula $\phi'$ in the language of $V^0(FAC^0)$ such that

$$V^0(FAC^0)\vdash(\phi\leftrightarrow\phi')$$

From these remarks, it is clear that the usual proof of the KPT witnessing theorem can be adapted to show the following:

Theorem 3 Let $\phi(X,Y,Z)$ be a formula such that $V^0\vdash\forall X\,\exists Y\,\forall Z\,\phi(X,Y,Z)$. Then there are $FAC^0$ functions $F_1,\dots,F_k$ such that

$$V^0(FAC^0)\vdash\forall X\,\forall\bar Z,\;\phi(X,F_1(X),Z_1)\;\vee\;\phi(X,F_2(X,Z_1),Z_2)\;\vee\dots\vee\;\phi(X,F_k(X,Z_1,\dots,Z_{k-1}),Z_k).$$

Using this we can show that if $V^0$ proves $\Sigma^B_0$-replacement, then for any $AC^0$ function $F$ there exists $k\in\mathbb N$ and a uniform $AC^0$ algorithm that will find a pre-image under $F$ of any sequence $Y^{[0]},\dots,Y^{[m-1]}$ of strings by asking at most $k$ queries of the form "what is a pre-image of $Y^{[i]}$?"

3 Replacement in V° and parity 

Let PARITY be the set of all strings over $\{0,1\}$ with an odd number of 1s. By a (nonuniform) $AC^0$ circuit family we mean a polynomial size bounded depth family $(C_n : n\in\mathbb N)$ of Boolean circuits over $\wedge,\vee,\neg$ such that $C_n$ has $n$ inputs and one output. Ajtai's theorem [1, 8] states that no such circuit family accepts PARITY.

We show that if $V^0$ proves the $\Sigma^B_0$ replacement scheme, then (using KPT witnessing) there exists a (uniform) randomized $AC^0$ algorithm for PARITY. This algorithm shows the existence of a (uniform) $AC^0$ circuit family such that each circuit has a vector $\bar r$ of random input bits in addition to the standard input bits, and with probability $p>2/3$ the circuit correctly determines whether the standard input is in PARITY and with probability $1-p$ the circuit produces an output indicating failure. From this a standard argument shows the existence of a nonuniform $AC^0$ circuit family for parity, violating the above theorem.

Let PAR be the function that maps a binary string of length $m$ to its parity vector. That is, PAR($m,Y$) $=X$ if $|X|\le m$ and, for each $i<m$, $X(i)$ is the parity of the string $Y(0)\dots Y(i)$. In what follows we take $m$ to be a parameter, assume $Y$ is an $m$-bit string, and suppress the argument $m$ from PAR($m,Y$).

Plainly PAR($Y$) cannot be computed in $AC^0$. However its inverse, which we will call UNPAR, is in uniform $AC^0$: the $i$th bit of UNPAR($X$) is given by the formula $(i=0\wedge X(i))\vee(i>0\wedge X(i-1)\oplus X(i))$. Here UNPAR has an argument $m$, which we suppress.

Notice also that for all $m$-bit strings $A,B,C$, writing $\oplus$ for bitwise XOR, if $A=B\oplus C$ then PAR($A$) $=$ PAR($B$) $\oplus$ PAR($C$).

Theorem 4 $V^0$ does not prove BB($\Sigma^B_0$).

Proof Suppose $V^0\vdash$ BB($\Sigma^B_0$). Then applying the argument of section 2 to the function UNPAR, for some fixed $k$ there is a uniform $AC^0$ algorithm which, for any sequence $Y^{[0]},\dots,Y^{[m-1]}$ of binary strings of length $m$, makes $k$ queries of the form "what is PAR($Y^{[i]}$)?" and outputs the sequence of parity vectors of $Y$.

We will show how to use this algorithm to compute the parity of a single string in uniform randomized $AC^0$. Suppose $m>3k$ and let $I$ be the input string of length $m$ which we want to compute the parity of.

Choose $m$ strings $U_0,\dots,U_{m-1}$ in $\{0,1\}^m$ at random, and for each $i$ compute $V_i=$ UNPAR($U_i$). Choose a number $r$, $0\le r<m$, uniformly at random. Define the string $Y$ (thought of as an $m\times m$ binary matrix) by the condition

$$Y^{[i]}=V_i\ \text{ for } i\ne r,\qquad Y^{[r]}=I\oplus V_r.$$

Since for each $m$ the function UNPAR defines a bijection from the set $\{0,1\}^m$ to itself, and since for each $I$ with $|I|\le m$ the map $J\mapsto I\oplus J$ also defines a bijection from that set to itself, it follows that the string $Y$ defined above, interpreted as an $m\times m$ bit matrix, is uniformly distributed over all such matrices.

Now run our interactive $AC^0$ algorithm on $Y$. If the algorithm queries "what is PAR($Y^{[i]}$)?" for $i\ne r$, reply with $U_i$ (which is the correct answer). If the algorithm queries "what is PAR($Y^{[r]}$)?", then abort the computation. Since at most $k$ different values of $i$ are compared to $r$ and since for each input $I$ each pair $(Y,r)$ is equally likely to have been chosen, it follows that the computation will be aborted with probability at most $k/m<1/3$.

Hence with probability at least $2/3$ the algorithm is not aborted, we are able to answer all the queries correctly, and we obtain $W$ such that $W^{[r]}=$ PAR($Y^{[r]}$) $=$ PAR($I\oplus V_r$). But $I=V_r\oplus(I\oplus V_r)$ and hence

$$\text{PAR}(I)=\text{PAR}(V_r)\oplus\text{PAR}(I\oplus V_r)=U_r\oplus W^{[r]}$$

We use this to compute PAR($I$) and use bit $m-1$ of PAR($I$) to determine whether $I\in$ PARITY.

For each input $I$ the algorithm succeeds with probability at least $2/3$, where the probability is taken over its random input bits.

Since no such $AC^0$ algorithm exists, it follows that $V^0$ does not prove the replacement scheme. □
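The ingredients of this proof (PAR, UNPAR, the XOR identity, and the random self-reduction that hides the input in row $r$) can be exercised in ordinary code. The following Python is an added example and is not part of the paper. The query-limited interactive $AC^0$ algorithm is only assumed to exist, so `demo_solver` is a constructed stand-in that answers $k$ rows by query and computes the remaining parity vectors directly (a step that is not $AC^0$); that is enough to watch the wrapper abort with rate $k/m$ and answer correctly whenever it does not abort.

```python
import random

# Strings are lists of 0/1 bits; "row i" of Y is Y[i].  Added example, not the paper's code.

def par(y):
    """PAR(m, Y): bit i is the parity of Y(0) ... Y(i), i.e. the prefix XOR."""
    out, acc = [], 0
    for b in y:
        acc ^= b
        out.append(acc)
    return out

def unpar(x):
    """UNPAR(m, X): bit i is X(i) for i = 0 and X(i-1) xor X(i) for i > 0.
    Each output bit depends on two input bits (so it is in AC^0); it inverts par."""
    return [x[i] if i == 0 else x[i - 1] ^ x[i] for i in range(len(x))]

def xor(a, b):
    """Bitwise XOR of two equal-length strings."""
    return [u ^ v for u, v in zip(a, b)]

def randomized_parity(inp, solver, k, rng):
    """The reduction from the proof of Theorem 4.
    `solver(Y, ask)` plays the assumed interactive AC^0 algorithm: it receives
    the m rows of Y, may call ask(i) at most k times to learn PAR(Y[i]), and
    must return all m parity vectors.  Returns the parity bit of `inp`, or
    None if the solver asked about the hidden row r (the "abort" case)."""
    m = len(inp)
    U = [[rng.randrange(2) for _ in range(m)] for _ in range(m)]  # random U_0 .. U_{m-1}
    V = [unpar(u) for u in U]                                     # V_i = UNPAR(U_i), so PAR(V_i) = U_i
    r = rng.randrange(m)                                          # the row that hides the input
    Y = [V[i] if i != r else xor(inp, V[r]) for i in range(m)]    # Y is uniform, independent of inp and r

    class Abort(Exception):
        pass

    asked = []

    def ask(i):
        asked.append(i)
        if len(asked) > k:
            raise ValueError("solver exceeded its query budget k")
        if i == r:
            raise Abort()                                         # answering would need PAR(inp) itself
        return U[i]                                               # the correct answer for every other row

    try:
        W = solver(Y, ask)
    except Abort:
        return None
    # W[r] = PAR(inp xor V_r) = PAR(inp) xor U_r, hence PAR(inp) = U_r xor W[r]; bit m-1 is the parity.
    return xor(U[r], W[r])[-1]

def demo_solver(k):
    """Constructed stand-in for the hypothetical solver: it queries rows 0..k-1 and
    computes the remaining parity vectors directly.  That direct computation is not
    AC^0; it exists only so the wrapper above has something to drive."""
    def solver(Y, ask):
        return [ask(i) if i < k else par(row) for i, row in enumerate(Y)]
    return solver

def estimate(m=30, k=5, trials=600, seed=7):
    """Run the reduction on random inputs and return (abort_rate, wrong_answers).
    With this solver a run aborts exactly when r < k, so the abort rate is k/m in
    expectation, and a run that does not abort is never wrong."""
    rng = random.Random(seed)
    aborts = wrong = 0
    for _ in range(trials):
        inp = [rng.randrange(2) for _ in range(m)]
        got = randomized_parity(inp, demo_solver(k), k, rng)
        if got is None:
            aborts += 1
        elif got != sum(inp) % 2:
            wrong += 1
    return aborts / trials, wrong

if __name__ == "__main__":
    print(estimate())
```

The wrapper never inspects how the solver computes its answers, which is the point of the proof: any query-limited solver, AC^0 or not, is turned into a parity algorithm whose only failure mode is the abort, and the abort probability is bounded by $k/m$ because $Y$ carries no information about $r$.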



4 Replacement in PV and factoring 

We adapt the proof [16] that cracking Rabin's cryptosystem based on squaring modulo $n$ is as hard as factoring.

Let $n$ be the product of distinct odd primes $p$ and $q$. Suppose $0<x_1<n$ and $\gcd(x_1,n)=1$. Let $c=x_1^2$. Then $c$ has precisely four square roots $x_1,x_2,x_3,x_4$ modulo $n$, as follows.

Let $x_p=(x_1\bmod p)$ and $x_q=(x_1\bmod q)$. By the Chinese remainder theorem there are uniquely determined numbers $x_1,x_2,x_3,x_4$ with $0\le x_i<n$ such that

$$\begin{array}{ll}
x_1\equiv x_p \pmod p & x_1\equiv x_q \pmod q\\
x_2\equiv x_p \pmod p & x_2\equiv -x_q \pmod q\\
x_3\equiv -x_p \pmod p & x_3\equiv x_q \pmod q\\
x_4\equiv -x_p \pmod p & x_4\equiv -x_q \pmod q
\end{array}$$

Now $x_1-x_2\equiv 0\pmod p$ and $x_1-x_2\equiv 2x_q\not\equiv 0\pmod q$, so $\gcd(x_1-x_2,n)=p$. So from $x_1$ and $x_2$ we can recover $p$, and similarly from $x_1$ and $x_3$ we can recover $q$.

Hence if we have one square root of $c$, and are then given a square root at random, we can factor $n$ with probability $\frac12$.
Theorem 5 If PV proves replacement for sharply bounded formulas, then factoring (of products of two odd primes) is possible in probabilistic polynomial time.

Proof We will use our standard argument, taking squaring modulo $n$ as our function $f$ (so $f$ has $n$ as a parameter).

If PV proves BB($\Sigma^b_0$) then there is a polynomial time algorithm which, for some fixed $k\in\mathbb N$, given any sequence $y_0,\dots,y_{m-1}$ of squares (modulo $n$), makes at most $k$ queries of the form "what is the square root of $y_i$?" and, if these are answered correctly, outputs square roots of all the $y_i$s.

Now suppose $n$ is large enough that $m=|n|>k$. Choose numbers $x_0,\dots,x_{m-1}$ uniformly at random with $0<x_i<n$. We may assume that $\gcd(x_i,n)=1$ for all $i$, since otherwise we can immediately find a factor of $n$.

For each $i$ let $y_i=(x_i^2\bmod n)$. Let $y$ code the sequence $y_0,\dots,y_{m-1}$, so $[y]_i=y_i$. Notice that each $x_i$ is distributed uniformly amongst the four square roots of $[y]_i$.

Run our algorithm, and to each query "what is the square root of $[y]_i$?" answer with $x_i$. We will get as output $w$ coding a sequence $[w]_0,\dots,[w]_{m-1}$ of square roots of $[y]_0,\dots,[y]_{m-1}$.

If we think of $n$ as fixed, the value of $w$ depends only on the inputs given to the algorithm, namely $y$ and the $k$ many numbers $x_i$ that we gave as replies. Let $i$ be some index for which $x_i$ was not used. Then $x_i$ is distributed at random among the square roots of $[y]_i$, and $[w]_i$ is a square root of $[y]_i$ that was chosen without using any information about which square root $x_i$ is. Hence $\gcd(x_i-[w]_i,n)$ is a factor of $n$ with probability $\frac12$. □

Notice that the only property of the function $|\cdot|$ we used was that we could find some $n$ with $|n|>k$. So any nondecreasing, not eventually constant function would do in the place of $|\cdot|$. Hence if PV only proves replacement for very short sequences, that is still enough to give us factoring.
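The four-root structure of squares modulo $n=pq$, the gcd step, and the interactive argument of section 2 as used in Theorem 5 can all be checked concretely. The Python below is an added example, not the paper's code. It uses a constructed toy modulus built from two primes congruent to 3 mod 4 (so a square root modulo a prime is a single exponentiation), and a hypothetical `simulated_root_finder` standing in for the interactive algorithm that Theorem 5 merely assumes: it answers $k$ indices by query and, using the factorisation a real prover would not have, returns a canonical root everywhere else. The factoring attempt then behaves as the proof predicts, succeeding with probability about $\frac12$.

```python
import random
from math import gcd

# Constructed toy modulus: two small primes, both congruent to 3 (mod 4), so a
# square root modulo a prime is one modular exponentiation.  Added example,
# not the paper's code; real moduli are of course far larger.
P, Q = 10007, 10039
N = P * Q

def sqrt_mod_prime(c, p):
    """A square root of the quadratic residue c modulo a prime p with p = 3 (mod 4)."""
    assert p % 4 == 3
    r = pow(c, (p + 1) // 4, p)
    assert r * r % p == c % p, "c is not a square modulo p"
    return r

def crt(a_p, a_q, p, q):
    """The x in [0, pq) with x = a_p (mod p) and x = a_q (mod q)."""
    inv_p = pow(p, -1, q)                      # p^{-1} mod q (Python 3.8+)
    return (a_p + p * (((a_q - a_p) * inv_p) % q)) % (p * q)

def four_square_roots(c, p, q):
    """The four roots x_1..x_4 of c modulo n = pq, in the paper's order:
    (+x_p,+x_q), (+x_p,-x_q), (-x_p,+x_q), (-x_p,-x_q)."""
    x_p, x_q = sqrt_mod_prime(c, p), sqrt_mod_prime(c, q)
    return [crt(s * x_p, t * x_q, p, q) for s in (1, -1) for t in (1, -1)]

def factor_from_two_roots(n, x1, x2):
    """gcd(x1 - x2, n): a proper factor exactly when x1 is neither x2 nor -x2 mod n."""
    return gcd((x1 - x2) % n, n)

def simulated_root_finder(y, ask, k, p, q):
    """Hypothetical stand-in for the interactive algorithm Theorem 5 assumes.
    It asks for the square roots of the first k entries and, being a simulation,
    uses the factorisation (which a real prover would not have) to pick a
    canonical root of every other entry.  What the argument needs is only that
    its output at an unqueried index depends on y alone, not on the challenger's x_i."""
    w = []
    for i, yi in enumerate(y):
        if i < k:
            w.append(ask(i))
        else:
            w.append(min(four_square_roots(yi, p, q)))
    return w

def factoring_attempt(n, p, q, m, k, rng):
    """One run of the reduction: random x_0..x_{m-1}, y_i = x_i^2 mod n, run the
    root finder answering its k queries with the x_i, then take a gcd at an index
    it never asked about.  Returns a nontrivial factor of n, or None."""
    x = [rng.randrange(1, n) for _ in range(m)]
    for xi in x:
        if gcd(xi, n) != 1:
            return gcd(xi, n)                  # the paper's "otherwise we immediately find a factor"
    y = [xi * xi % n for xi in x]
    w = simulated_root_finder(y, lambda i: x[i], k, p, q)
    assert all(wi * wi % n == yi for wi, yi in zip(w, y))
    i = k                                      # an index whose x_i was never revealed
    d = factor_from_two_roots(n, x[i], w[i])
    return d if 1 < d < n else None

def success_rate(trials=600, seed=1):
    """Fraction of runs that factor N.  x_i is uniform among the four roots of y_i
    and w_i ignores it, so gcd(x_i - w_i, n) is proper in about half the runs."""
    rng = random.Random(seed)
    m, k = N.bit_length(), 4                   # m = |n| > k, as in the proof
    hits = sum(factoring_attempt(N, P, Q, m, k, rng) is not None for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print(four_square_roots(12345 * 12345 % N, P, Q), success_rate())
```

The stand-in is deliberately the weakest thing that could satisfy the theorem's hypothesis; whatever the real prover's internal strategy, the challenger's view is the same, since only $y$ and the $k$ revealed $x_i$ ever reach it, which is exactly why the proof can ignore the algorithm's internals.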

In fact under the assumption that factoring is hard we can show that these replacement schemes form a hierarchy. For any term $\alpha$ with one argument, let BB($\alpha$, PV) be the axiom scheme:

$$\forall i<\alpha(b)\;\exists y<b\;\phi(i,y)\;\rightarrow\;\exists w\;\forall i<\alpha(b)\;\phi(i,[w]_i)$$

for all PV formulas $\phi$. We will assume that our base theory proves that $\alpha(x)\le|x|$ and that $\alpha$ is increasing.
We need a generalization of a result of Zambella, lemma 3.3 of [20]. The lemma there is presented for a two-sorted system similar to $V^0$ and with $|x|$ rather than $\alpha(x)$.

An $\exists^b$PV formula is a PV formula preceded by a bounded existential quantifier; modulo PV this is the same as a strict $\Sigma^b_1$ formula.

Lemma 6 Any model $N\models$ PV has an $\exists^b$PV-elementary extension to a model $M\models$ PV + BB($\alpha$, PV) such that every element of $M$ is of the form $f(a,b)$ for some $f\in$ PV, $a\in N$ and $b\subseteq\alpha(M)$, where $\alpha(M)=\{x\in M : x<\alpha(y)\text{, some }y\in M\}$. Informally, $M$ is formed from $N$ by only adding new "$\alpha$-small" elements and closing under PV functions. □

Proof Let $L$ be the language of PV with the addition of a name for every element of $N$, and let $T$ be the universal theory of $N$ in this language, so every model of $T$ will be an $\exists$-elementary, and hence $\exists^b$PV-elementary, extension of $N$. Enumerate as $(t_1,\phi_1(x,y)),(t_2,\phi_2(x,y)),\dots$ all pairs consisting of closed terms in $L$ and binary PV formulas with parameters from $L$. We will use this to construct a chain $T=T_0\subseteq T_1\subseteq T_2\subseteq\dots$ of theories.

Suppose that $T_i$ has been constructed and is a consistent, universal theory. If $T_i\vdash\forall x<\alpha(t_{i+1})\,\exists y\,\phi_{i+1}(x,y)$ then put $T_{i+1}=T_i$. Otherwise introduce a new constant symbol $c$ and put

$$T_{i+1}=T_i\cup\{c<\alpha(t_{i+1})\}\cup\{\forall y\,\neg\phi_{i+1}(c,y)\}.$$

Note that $T_{i+1}$ is consistent and universal.

Let $T^*$ be the union of this chain of theories, and let $L^*$ be $L$ together with all the new constant symbols that were added in the construction of $T^*$. Enumerate all pairs of closed terms and binary formulas in $L^*$, and repeat the above construction to get a theory $T^{**}$ and a language $L^{**}$. Repeat this step $\omega$ times, and let $T^+$ be the union of the theories and $L^+$ its language.

$T^+$ is consistent and universal, so there is a model $M\models T^+$ each element of which is named by some closed $L^+$-term. $M\models T$, so $M$ is an $\exists^b$PV-elementary extension of $N$. Also, each time a new constant $c$ was introduced to $L^+$, $c<\alpha(t)$ was introduced to $T^+$ for some term $t$. So $M$ is the closure of elements of $N$ and new "$\alpha$-small" elements, as required.

To show that $M$ is a model of BB($\alpha$, PV), suppose that $a$ is an element of $M$ and $\phi(x,y)$ is a PV formula with parameters from $M$, and

$$M\models\forall x<\alpha(a)\,\exists y\,\phi(x,y).$$

Then by the construction of $M$, we may assume that $a$ is named by some closed $L^+$ term $t$ and that $\phi(x,y)$ is a parameter-free $L^+$ formula; and by the construction of $T^+$ we must have that $T^+\vdash\forall x<\alpha(t)\,\exists y\,\phi(x,y)$, since $T^+$ either proves this or its negation. But $T^+$ is a universal theory, so by using Herbrand's theorem and the properties of PV we can find a PV function symbol $f$ (with parameters) such that $T^+\vdash\forall x<\alpha(t)\,\phi(x,f(x))$. Now by the comprehension available in PV, we can find some $w\in M$ such that $M\models\forall x<\alpha(t)\,\phi(x,[w]_x)$, as required. □

We can now adapt the proof of the KPT witnessing theorem to get the following:

Theorem 7 Suppose

$$\text{PV}+\text{BB}(\alpha,\text{PV})\vdash\forall x\,\exists y\,\forall z\,\phi(x,y,z)$$

for an $\exists^b$PV formula $\phi$. Then there exist $k\in\mathbb N$, a term $s(x,\bar z)$ and functions $f_1,\dots,f_k$ such that

$$\text{PV}\vdash\forall x\,\forall\bar z,\;\;\exists i<\alpha(s)^k\,\phi(x,[f_1(x)]_i,[z_1]_i)$$

$$\vee\;\exists i<\alpha(s)^k\,\phi(x,[f_2(x,z_1)]_i,[z_2]_i)$$

$$\vee\;\dots\;\vee\;\exists i<\alpha(s)^k\,\phi(x,[f_k(x,z_1,\dots,z_{k-1})]_i,[z_k]_i)$$

(we include the exponent $k$ here because the range of $\alpha$ might not be closed under multiplication).

Proof Enumerate all pairs of PV functions as $(s_1,f_1),(s_2,f_2),\dots$ with infinite repetitions in such a way that for each $k$ both $s_k$ and $f_k$ take $k$ or fewer arguments. Assume that the conclusion of the theorem is false, and let $T$ be the theory

$$\text{PV}+\{\forall i<\alpha(s_1(b,c_1))^1\,\neg\phi(b,[f_1(b)]_i,[c_1]_i),\;\;\forall i<\alpha(s_2(b,c_1,c_2))^2\,\neg\phi(b,[f_2(b,c_1)]_i,[c_2]_i),\;\dots\}$$

where $b$ and $c_1,c_2,\dots$ are new constant symbols. Then $T$ is finitely satisfiable (we can take the term $s$ in the statement of the theorem as the sum of our finite set of terms $s_1,\dots,s_k$).

Let $N$ be a model of $T$, and let $N'\subseteq N$ be the substructure consisting of all the elements named by terms. Since $T$ is universal, $N'\models T$. Let $M$ be the extension of $N$ given by lemma 6 to a model of BB($\alpha$, PV). By $\exists^b$PV elementariness, $M$ is also a model of $T$.

Now let $a$ be any element of $M$. By the construction of $M$, for some $d\subseteq\alpha(M)$, some $e\in N'$ and some PV function $g$ we have $a=g(d,e)$. Furthermore by the construction of $N'$ we know that $d<\alpha(h_1(b,c_1,\dots,c_k))$ and $e=h_2(b,c_1,\dots,c_k)$ for some $k$ and some PV functions $h_1$ and $h_2$.

In this paragraph we identify a number $i<\alpha(h_1(b,\bar c))^k$ with the sequence $i=i_1\dots i_k$ of numbers less than $\alpha(h_1(b,\bar c))$ that it codes. We can find $l>k$ such that $f_l$ is the PV function symbol that takes as input $b,c_1,\dots,c_l$ and outputs (as a single number) the sequence $w_1\dots w_{\alpha(h_1(b,c_1,\dots,c_k))^k}$ where $w_i=g(i,h_2(b,c_1,\dots,c_k))$. Then $a=[f_l(b,c_1,\dots,c_l)]_d$ and since $M\models T$ we have $M\models\neg\phi(b,a,[c_{l+1}]_d)$. Here $a$ was chosen arbitrarily, so we have shown that $M\models\text{PV}+\text{BB}(\alpha,\text{PV})+\neg\forall x\,\exists y\,\forall z\,\phi(x,y,z)$. □

Corollary 8 Suppose that factoring is not possible in probabilistic polynomial time. Then BB($\alpha$, PV) is not provable in PV + BB($\beta$, PV), for terms $\alpha,\beta$ where $\alpha(x),\beta(x)\le|x|$ and $\alpha$ grows faster than any polynomial in $\beta$.

Proof Our standard argument is that if replacement is provable in PV, then there is a polynomial time interactive algorithm that queries $k$ square roots and outputs $|n|$ square roots, for some fixed $k\in\mathbb N$.

By theorem 7 we can show, by a similar argument, that if PV + BB($\beta$, PV) $\vdash$ BB($\alpha$, PV) then we have a polynomial time interactive algorithm that queries $k\beta(n)^k$ square roots modulo $n$ and outputs $\alpha(n)$ square roots, for some fixed $k\in\mathbb N$.

So if $n$ is sufficiently large that $\alpha(n)>k\beta(n)^k$, we can use the argument of theorem 5 to factor $n$. □

This gives a hierarchy of theories

$$\text{PV}+\text{BB}(|x|,\text{PV})\;\supset\;\text{PV}+\text{BB}(||x||,\text{PV})\;\supset\;\dots$$

The same argument goes through in $V^0$. One way to see this is to notice that the important difference between PV and $V^0$ is that the PV functions are closed under polynomial time iteration, and no such iteration is used in the proof here. So we have the unconditional separation result

Theorem 9 BB($\alpha$, $\Sigma^B_0$) is not provable in $V^0$ + BB($\beta$, $\Sigma^B_0$), for terms $\alpha,\beta$ where $\alpha(n),\beta(n)\le n$ and $\alpha$ grows faster than any polynomial in $\beta$.
Proof If the theorem is false, then there is $k\in\mathbb N$ and an interactive algorithm that, given $\alpha(n)$ many vectors $v_1,\dots,v_{\alpha(n)}$, each of length $n$, will make $k\beta(n)^k$ queries of the form "what is the parity vector of $v_i$?" and then output the parity vectors of all the $v_i$s. So if $\alpha(n)>3k\beta(n)^k$, then by adapting the argument of section 3 we get a probabilistic uniform $AC^0$ algorithm which computes parity. □



5 Unique replacement in PV and RSA 

We define "unique replacement" to be the scheme

$$\forall i<|a|\ \exists! x<b\ \phi(i,x) \;\to\; \exists w\ \forall i<|a|\ \phi(i,[w]_i).$$

Theorem 10 If PV proves unique replacement for sharply bounded formulas,
then the injective WPHP for PV formulas can be witnessed in probabilistic
polynomial time (and hence in particular we can crack RSA [12]).

Proof (Simplified from the model-theoretic proof in [19].) First notice that
it is sufficient to prove the theorem with "sharply bounded formulas" replaced
by "PV formulas", because unique replacement for sharply bounded formulas
implies unique replacement for every PV formula $\phi$. For suppose that $\phi$ is
decided by the polynomial time machine with code $e$, and that for some fixed $i$
there is a unique $x$ such that $\phi(i,x)$. Then there is a unique pair $(z, x)$ such
that $z$ is an accepting computation of the machine $e$ on input $(i,x)$, and the
property of being an accepting computation is sharply bounded.

In the rest of this proof $x$ and $y$ will code sequences of $|n|$ numbers each
of size $< n^{|n|}$, with elements $[x]_i$, $[y]_i$, and $z$ will code a sequence of $|n|$
numbers each of size $< n$, with elements $(z)_i$.

Suppose that $h$ is a PV function from $n^{|n|}$ to $n$ (that is, from $[0, n^{|n|})$ to
$[0, n)$). Note that from any PV function $g : 2n \to n$ we can derive such a
function $h$ with the property that a witness to WPHP for $h$ yields in polynomial
time a witness to WPHP for $g$ ([15], or see [19] for an explicit polynomial time
construction).

Choose $x < n^{|n|^2}$ at random and let $z < n^{|n|}$ be such that

$$(z)_0 = h([x]_0),\ \ldots,\ (z)_{|n|-1} = h([x]_{|n|-1}).$$

Assume that PV proves the following instance of unique replacement:

$$\exists i<|n|\ \forall u<n^{|n|}\ h(u) \ne (z)_i$$

$$\vee\ \exists i<|n|\ \exists u_1<u_2<n^{|n|}\ h(u_1) = h(u_2)$$

$$\vee\ \exists y<n^{|n|^2}\ \forall i<|n|\ h([y]_i) = (z)_i.$$
Then by our witnessing theorem, for some $k$ (independent of $n$) there
is a deterministic interactive computation which takes $n$ and $z$ as its initial
input. Then for $k$ steps it gives us an index $i < |n|$ and expects an input
$y < n^{|n|}$; if we can guarantee that for each such step we have $h(y) = (z)_i$,
then the computation outputs either $u_1$ and $u_2$ mapping to the same thing,
in which case we are done (and this case is the only one that is different from
normal replacement), or $y < n^{|n|^2}$ satisfying $\forall i<|n|\ h([y]_i) = (z)_i$.

Run the computation, and to each index $i$ queried respond with $[x]_i$. The
computation must output some $y$ satisfying $\forall i<|n|\ h([y]_i) = (z)_i$. Now the
computation is deterministic, and if we think of $n$ as fixed, there were $n^{|n|(k+1)}$
possible different inputs to the machine: namely $n^{|n|}$ different possibilities for
$z$ and $(n^{|n|})^k$ different possibilities for the $k$ responses $[x]_i$. Hence there are at
most $n^{|n|(k+1)}$ possible outputs $y$. However $x$ was originally chosen at random
from $n^{|n|^2}$ possibilities. So if $k < |n| - 1$ then with high probability (the possible
outputs make up at most an $n^{-|n|(|n|-k-1)} \le n^{-|n|}$ fraction of the choices for $x$)
$x$ is not a possible output of the machine, so $x \ne y$ and for some $i < |n|$ we have
$[x]_i \ne [y]_i$ but $h([x]_i) = (z)_i = h([y]_i)$. □

Notice that part of this argument can be formalized in PV, to show 
that if PV proves unique replacement, then PV proves that the surjective 
WPHP for PV functions implies the injective WPHP for PV functions. In 
the proof above randomness was used to find some x outside the range of a 
given polynomial time algorithm; in the formal PV proof we would use the 
surjective WPHP to provide such an x. 
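The reduction in the proof of theorem 10, as an added example that is not part of the paper. It plays the interactive computation against a toy "machine" that, for the indices it did not query, finds the smallest preimage of $(z)_i$ by search (something a polynomial-time machine could not do; the reduction never looks inside the machine and uses only that its output is a deterministic function of $z$ and the $k$ answers). The function $h(u) = u^2 \bmod n$ and the modulus $n = 257$ are constructed stand-ins and are not claimed to be collision-resistant; any deterministic `machine` with the same interface can be substituted.

```python
import random


def toy_h(u, n):
    """A PV-style function from [0, n^|n|) to [0, n).  u^2 mod n is just a
    cheap constructed stand-in; nothing here depends on it being hard."""
    return u * u % n


def toy_machine(h, n, z, k, oracle):
    """Models the deterministic interactive computation that the witnessing
    theorem extracts from a proof of unique replacement: it reads z, asks
    for preimages of k of its entries, and must output y with
    h([y]_i) = (z)_i for every i.  For unqueried i it searches for the
    smallest preimage (infeasible for a real polynomial-time machine); the
    reduction relies only on y being a deterministic function of z and the
    k answers it received."""
    y = []
    for i, v in enumerate(z):
        if i < k:
            y.append(oracle(i))
        else:
            u = 0
            while h(u, n) != v:        # terminates: (z)_i is in the range of h
                u += 1
            y.append(u)
    return y


def find_collision(h, n, machine, k, seed=0):
    """The reduction in the proof of theorem 10: pick x at random, set
    (z)_i = h([x]_i), run the machine answering query i with [x]_i, and
    return the first i with [x]_i != [y]_i as a collision of h."""
    m = n.bit_length()                     # |n|
    if k >= m - 1:
        raise ValueError("the counting argument needs k < |n| - 1")
    rng = random.Random(seed)
    bound = n ** m                         # elements of x and y lie below n^|n|
    x = [rng.randrange(bound) for _ in range(m)]
    z = [h(u, n) for u in x]
    asked = []

    def oracle(i):
        asked.append(i)
        return x[i]

    y = machine(h, n, z, k, oracle)
    if len(asked) > k:
        raise ValueError("machine exceeded its query budget")
    if any(h(y[i], n) != z[i] for i in range(m)):
        raise ValueError("machine did not witness the replacement instance")
    for i in range(m):
        if x[i] != y[i]:
            return (x[i], y[i])            # h agrees on them, values differ
    return None                            # probability at most n^-|n| by counting


if __name__ == "__main__":
    n = 257                                # constructed toy n, |n| = 9
    print(find_collision(toy_h, n, toy_machine, k=2))
```

The two `ValueError` checks are the interface the witnessing theorem guarantees (at most $k$ queries, and an output that really satisfies $\forall i<|n|\ h([y]_i) = (z)_i$); the branch of the proof in which the machine instead outputs $u_1, u_2$ with $h(u_1) = h(u_2)$ is already a collision and needs no reduction.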

Corollary 11 Suppose PV proves the $\Delta^b_1$ comprehension axiom scheme (3).
Then PV proves unique replacement for PV formulas and by theorem 10 we
can crack RSA.

Proof Let $\phi(i,x)$ be any PV formula (with parameters) and suppose that
the hypothesis of the corollary holds. Let $M \models \mathrm{PV}$, $a, b \in M$ and suppose
$M \models \forall i<|b|\ \exists! x<a\ \phi(i,x)$. Then

$$M \models \forall i<|b|\ \forall j<|a|,\ \ \exists x<a\,(\phi(i,x) \wedge (x)_j = 1) \leftrightarrow \forall x<a\,(\phi(i,x) \to (x)_j = 1).$$

Over PV, $\phi$ is equivalent to both a $\Pi^b_1$ and a $\Sigma^b_1$ formula, so we can apply
comprehension and get some $w$ such that

$$M \models \forall i<|b|\ \forall j<|a|,\ \ ([w]_i)_j = 1 \leftrightarrow \exists x<a\,(\phi(i,x) \wedge (x)_j = 1).$$

Here we assume without loss of generality that $a$ is a power of 2, so that we
can switch easily between thinking of $w$ as a binary sequence of length $|b||a|$
and as a sequence of $|b|$ many binary numbers $[w]_i$ for $i<|b|$, each of length
$|a|$. We also use the fact that in PV the formula $\phi(i,x)$ can be written in
both a strict $\Sigma^b_1$ and a strict $\Pi^b_1$ way, which we need to apply comprehension.

Now pick any $i < |b|$. There is some unique $x \in M$ such that $\phi(i,x)$; and
by the construction of $w$, for each $j < |a|$ we know $([w]_i)_j = 1$ if and only if
$(x)_j = 1$. Hence $[w]_i = x$.

So $M \models \forall i<|b|\ \phi(i,[w]_i)$. □